**keschi Θ** @kescher@catcatnya.com · Dec 22, 2023, 14:11

**keschi Θ** @kescher@catcatnya.com · Dec 22, 2023, 14:11

keschi Θ @kescher@catcatnya.com

Dec 22, 2023, 14:11

psa, 37C3

To folks going to 37C3: Don't visit the talk about SMTP smuggling. The authors of it have not done responsible disclosure to postfix about a security vulnerability with some configurations (default configurations, in fact). Let them have empty seats.

**ari** @ar@is-a.cat · Dec 22, 2023, 14:16

**ari** @ar@is-a.cat · Dec 22, 2023, 14:16

Dec 22, 2023, 14:16

ari @ar@is-a.cat

re: psa, 37C3

@kescher Like seriously, I'd respect them more if they wouldn't notify anyone, instead of only notifying the corpos…

**Sven Slootweg (soft-deprecated)** @joepie91@pixie.town · 2023-12-22T14:41:46Z

Sven Slootweg (soft-deprecated) @joepie91@pixie.town

re: psa, 37C3

@ar @kescher Is there somewhere I can read more about this?

Dec 22, 2023, 14:41 · · Web · · ·

**keschi Θ** @kescher@catcatnya.com · Dec 22, 2023, 14:42

**keschi Θ** @kescher@catcatnya.com · Dec 22, 2023, 14:42

Dec 22, 2023, 14:42

keschi Θ @kescher@catcatnya.com

re: psa, 37C3

@joepie91 @ar Yes.

https://www.mail-archive.com/postfix-announce@postfix.org/msg00090.html

and of course, the blog of the wrongdoers: https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/

**Sven Slootweg (soft-deprecated)** @joepie91@pixie.town · Dec 22, 2023, 16:24

**Sven Slootweg (soft-deprecated)** @joepie91@pixie.town · Dec 22, 2023, 16:24

Dec 22, 2023, 16:24

Sven Slootweg (soft-deprecated) @joepie91@pixie.town

re: psa, 37C3

@kescher @ar The "oh we didn't realize we had to look further after Cisco told us it's fine" seems extremely disingenuous given that the research specifically identifies postfix as a large affected implementations (and given that they seemed to disagree with Cisco's assessment anyway)

Resources

Developers

What is Mastodon?

pixie.town

More…